Fortinet Discloses Information Exposure Flaw in FortiNDR and FortiVoice
Fortinet disclosed an information exposure vulnerability in FortiNDR and FortiVoice that allows authenticated attackers with read-only access to retrieve backup files via crafted HTTP requests.

Fortinet has disclosed a medium-severity information exposure vulnerability affecting its FortiNDR network detection and response appliances and FortiVoice unified communications systems. Tracked as FG-IR-26-124 and assigned a CVSSv3 score of 5.4, the flaw stems from an exposure of sensitive information to an unauthorized actor (CWE-200). A remote authenticated attacker with at least read-only permission on system maintenance can access backup files by sending specially crafted HTTP requests, potentially exposing configuration data, credentials, or other sensitive information stored in backups.
The vulnerability affects all FortiNDR releases from 7.0 through 7.6.0; version 7.6.1 contains the fix. For FortiVoice, only versions 7.0.0 through 7.0.1 are affected, while versions 7.2 and 7.4 are not vulnerable. Fortinet has released patches for both product lines: FortiNDR users should upgrade to 7.6.1 or 7.4.9 or above, while FortiVoice users must upgrade to 7.0.2 or later. Older FortiNDR branches (7.0, 7.1, 7.2) have no patch available, and customers are advised to migrate to a fixed release.
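The version ranges above can be applied to an appliance inventory as in the following added example, which is not part of Fortinet's advisory or tooling. The function names, the `host,product,version` inventory format and the sample rows are assumptions made for illustration.

```python
# Added example: triage an appliance inventory against the version ranges
# summarised in this article (FG-IR-26-124). Inventory rows are constructed.
import re

def parse_version(text):
    """Parse '7.4.3' or 'v7.6.0' into (7, 4, 3); a missing patch level is assumed to be 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(product, version):
    """Return (status, action) for one appliance, using the article's ranges."""
    v = parse_version(version)
    name = product.strip().lower()
    if name == "fortindr":
        if v >= (7, 6, 1) or (v[:2] == (7, 4) and v >= (7, 4, 9)):
            return ("fixed", "none")
        if (7, 0, 0) <= v <= (7, 6, 0):
            if v[:2] == (7, 6):
                return ("affected", "upgrade to 7.6.1 or above")
            if v[:2] == (7, 4):
                return ("affected", "upgrade to 7.4.9 or above")
            return ("affected", "migrate to a fixed release")  # no in-branch patch
        return ("not covered", "check the vendor advisory")
    if name == "fortivoice":
        if (7, 0, 0) <= v <= (7, 0, 1):
            return ("affected", "upgrade to 7.0.2 or later")
        if v[:2] == (7, 0):
            return ("fixed", "none")
        return ("not affected", "none")
    return ("not covered", "product not in this advisory")

# Constructed sample inventory: host,product,version
INVENTORY = """\
ndr-core-01,FortiNDR,7.6.0
ndr-lab-02,FortiNDR,v7.4.9
ndr-old-03,FortiNDR,7.2.5
voice-hq-01,FortiVoice,7.0.1
voice-br-02,FortiVoice,7.2.0
"""

def triage_inventory(text):
    """Classify each 'host,product,version' row of a CSV-style inventory."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return [(h.strip(), *triage(p, v)) for h, p, v in rows]

if __name__ == "__main__":
    print(*triage_inventory(INVENTORY), sep="\n")
```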
The vulnerability was discovered internally and reported by Yonghui Han of the Fortinet Product Security team, indicating it was found during internal security testing rather than through external disclosure. The advisory was initially published on April 14, 2026, with no evidence of active exploitation in the wild at the time of disclosure. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public proof-of-concept code has been released.
While the CVSS score of 5.4 places this in the medium severity range, the practical risk is elevated by the low privileges required for exploitation. An attacker who has already gained a foothold with read-only system maintenance access—a relatively low bar in many enterprise environments—can pivot to extract backup files that may contain sensitive data such as network configurations, encryption keys, or user credentials. This type of post-exploitation information gathering is a common step in ransomware and data theft campaigns.
Fortinet's advisory does not specify whether the backup files are encrypted at rest or what specific data they may contain, but the CWE-200 classification suggests that any sensitive information in those backups could be exposed. Organizations running affected versions should prioritize patching, especially if they operate in regulated industries where backup data confidentiality is critical. The advisory also serves as a reminder that even read-only accounts can pose significant risks if they have access to backup repositories or system maintenance functions.
This disclosure follows a pattern of vulnerabilities in enterprise network appliances that allow authenticated users to access sensitive data. As organizations increasingly rely on network detection and response tools like FortiNDR for security monitoring, ensuring that these platforms themselves are hardened against privilege escalation and information disclosure is essential. Fortinet has not indicated any plans to backport fixes to end-of-life versions, reinforcing the importance of maintaining supported software versions.